A Cyber-Attack on a U.S. Election is Inevitable
Since Direct Recording Electronic voting machines first came into vogue in the U.S. in 2002, a team of cyber-academics (known as the Princeton Group) has been busy demonstrating how easy it is to hack these machines, to remind American citizens just how cyber-vulnerable the voting process is. From their first successful hack into a DRE 15 years ago, they surmised that it was just a matter of time until a cyber-attack occurred in a national election. This summer’s cyberattack of the Democratic National Committee has shed light on how such events can potentially affect this, and future, elections. Given the apparent ease with which the attack occurred on the DNC, is there any real reason to believe the same cannot, or will not, occur in November?
The DNC hack has certainly captured the attention of the government, with DHS Secretary Johnson acknowledging that the nation’s electoral system is indeed vulnerable, and that it has a long way to go achieve meaningful cyber security in the voting booth. To underscore the point, consider that the U.S. electoral system is not even governed by a national body, but rather each state. There are more than 8,000 separate electoral jurisdictions that are, in the end, governed by city, county and state governments.
No offense to the election officials in these jurisdictions, but the vast majority are middle aged volunteers. Neither they, nor the institutions they represent, have meaningful orientation toward or experience in cyber security. Given this, and the absence of federal government oversight, it is clear that we are terribly vulnerable.
The Princeton Group’s message is simplistically clear: the latest generation of smart phones are more secure than DREs, and as a result, there are many critical areas in the vote gathering and counting process that are at risk. Although some voting district officials have commenced the process of becoming less reliant on DREs — replacing them with alternatives such as optical scanners — those DREs that remain are increasingly obsolete, with aging software and large cyber ‘holes’ that may be exploited. Hundreds of digital-only precincts remain, many in swing states, and they become less secure with each passing year.
Since the Chinese government successfully hacked into the Office of Personnel Management last year and stole the personal information of some 22 million government employees, can there be any doubt that a government (or person) with an inclination to influence the outcome of an American election can indeed do so? Given that states constantly hack into each-others’ computer systems, it is clear not only that electoral hacking will continue, and that there is little that can be done to stop it. Although the DNC hack was attributable to Russia, President Obama said it would not affect bilateral relations. Last month, Russia announced that about 20 Russian government organizations had been targeted by spyware, though it stopped short of attributing the infiltration to any specific state or actor. Payback, perhaps?
Some 28 states – including the swing states of Florida and Ohio – still use digital technology in their voting process, and most of these continue to use Windows software from the 1990s and early 2000s. While DREs are programmed individually, an attacker with access to the administration system that is used to program the memory cartridges before an election can distribute malicious code to all machines being used. Whether a DRE or optical scanner is being used, votes are tallied on a memory card, which is fed into a central system that can be used to infect the tabulating system, which can also be infected. Given how antiquated the entire voting system appears to be, and how many gaps there are in the system, governing authorities have a monumental task on their hands.
Even though the DNC apparently received a warning from the government that an attack was likely to occur, its failure to implement additional security measures led to what was in essence a breach of national security. Taken to a new level, this week’s NSA cyber-attack has made it clear that there is not much that hackers cannot do. What once seemed to be a ‘remote’ possibility – cyber-attacks throughout the most sensitive parts of the U.S. government – are now becoming commonplace. Given the stakes implied, there is no choice, therefore, but to enhance America’s voting process and bring it into the 21st century.
Last year, the Brennan Center for Justice conducted an extensive survey of 100 specialists familiar with voting technology and election officials in all 50 states. Its findings are sobering. Among them are that 43 states are using some machines that will be at least 10 years old in 2016, nearly every state is using some machines that are no longer manufactured (with many election officials struggling to find replacement parts), and the biggest risk is increased failures and crashes (which can lead to lost votes).
Election jurisdictions in at least 31 states wanted to purchase new voting machines in the next five years, and officials from 22 of these states said they did not know where they would get the money to pay for them. The Center estimates the initial national cost of replacing equipment over the next few years could exceed $1 billion (in other words, less than the total amount candidates have spent this election cycle to get elected president of the U.S.). The concern expressed by some officials was that without federal or state funding, wealthier counties will be in a position to replace aging machines, while poorer counties will be forced to use them far longer than they should, subjecting the poor to potential greater levels of security breaches.
Just as America’s critical infrastructure is increasingly vulnerable to collapse, its voting system is increasingly vulnerable to attack. Congress should change the U.S. voting system to introduce federal oversight and allocate more federal money to fix this problem. A failure to do so will guarantee that one or more cyber-attacks will occur – possibly in November, and certainly in coming elections. In the era of man-made risk, we cannot afford to merely remain reactive, or hesitate to take decisive action. The electoral process is a matter of national security and should become a legislative priority when Congress reconvenes in September.